The detection identifies potential Mirai botnet command-and-control (C2) communication attempts through known malicious URLs, indicating possible compromise of endpoints. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate Mirai-related botnet activity before it leads to widespread network infiltration.
IOC Summary
Threat: mirai Total URLs: 11 Active URLs: 11
| URL | Status | Threat | Date Added |
|---|---|---|---|
hxxp://144.91.86.92/luxzzxzzx/luxzz.arm7 | online | malware_download | 2026-04-22 |
hxxp://208.84.100.209/wget.sh | online | malware_download | 2026-04-22 |
hxxp://58.47.120.129:34202/bin.sh | online | malware_download | 2026-04-22 |
hxxp://110.37.44.158:56889/bin.sh | online | malware_download | 2026-04-22 |
hxxp://222.246.110.97:47547/bin.sh | online | malware_download | 2026-04-22 |
hxxp://120.37.212.103:56557/bin.sh | online | malware_download | 2026-04-22 |
hxxp://120.28.180.87:34162/i | online | malware_download | 2026-04-22 |
hxxp://58.47.120.129:34202/i | online | malware_download | 2026-04-22 |
hxxp://45.177.32.104:45637/i | online | malware_download | 2026-04-22 |
hxxp://47.215.185.216:53633/i | online | malware_download | 2026-04-22 |
hxxp://120.37.212.103:56557/i | online | malware_download | 2026-04-22 |
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: mirai
let malicious_domains = dynamic(["222.246.110.97", "47.215.185.216", "45.177.32.104", "120.37.212.103", "120.28.180.87", "208.84.100.209", "144.91.86.92", "110.37.44.158", "58.47.120.129"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc// Hunt for web traffic to URLhaus malicious domains
let malicious_domains = dynamic(["222.246.110.97", "47.215.185.216", "45.177.32.104", "120.37.212.103", "120.28.180.87", "208.84.100.209", "144.91.86.92", "110.37.44.158", "58.47.120.129"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc| Sentinel Table | Notes |
|---|---|
CommonSecurityLog | Ensure this data connector is enabled |
DnsEvents | Ensure this data connector is enabled |
Scenario: A system administrator is manually testing a Mirai-based vulnerability scanner tool to validate its effectiveness.
Filter/Exclusion: Exclude URLs that match the known test URLs used by the Mirai vulnerability scanner (e.g., http://test-mirai-scan.example.com/scan).
Scenario: A scheduled job runs a network discovery tool (e.g., nmap) to map internal network devices, and one of the discovered devices is flagged as a Mirai-related URL.
Filter/Exclusion: Exclude URLs that match the internal IP address range or are associated with network discovery tools like nmap or arp-scan.
Scenario: A security analyst is using a threat intelligence platform (e.g., CrowdStrike Falcon, Microsoft Defender) to manually check for Mirai-related URLs during an incident response.
Filter/Exclusion: Exclude URLs that are part of the analyst’s own threat intelligence database or known benign test URLs used in security assessments.
Scenario: A CI/CD pipeline includes a script that fetches a Mirai-related exploit repository for educational purposes (e.g., GitHub or GitLab).
Filter/Exclusion: Exclude URLs that are whitelisted in the CI/CD environment or match known educational or research repositories (e.g., https://github.com/ethical-hacking/mirai-exploits).
Scenario: A system is running a legitimate security tool (e.g., OSSEC, Snort) that periodically checks for known malicious URLs, including those associated with Mirai.
Filter/Exclusion: Exclude URLs that are part of the tool’s own signature database or are known to be used for legitimate security testing and monitoring.